Release Engineering

Content:

1. Project Description

Release Engineering ("releng") is the official Gentoo project focused on
coordinating and improving the creation of official media releases of Gentoo
Linux and other Gentoo operating systems. It is also primarily responsible for
many of the tools used by the installation process, including catalyst, genkernel, and the Gentoo Linux Installer.

2. Project Goals

The goals of Release Engineering are to continually improve the quality,
timeliness and overall procedures for creating official Gentoo Linux releases,
as well as acting as the official coordinators for creating new Gentoo Linux
release media. This project is very much focused on ensuring that the initial
quality of every official release is as high as possible, and that the "from
CD" experience is as positive for as many of our users as possible.

The deprecated Gentoo Installer project aimed to create a widely extensible install engine that allowed for a diverse set of attended and unattended install options. It was abandoned in 2009, but these pages have been retained for future reference.

Releng/QA Hardware

Release Engineering maintains its own set of hardware for development, testing
and release building, as well as the porting of Gentoo Linux to new
architectures. Currently, this hardware consists of a dual-CPU 900MHz zx6000
Itanium 2 system with 4GB of RAM on extended loan from HP, and a dual Opteron
AMD64 system built from parts donated by AMD, NVIDIA, The Gentoo Foundation,
and the Gentoo/AMD64 project. All systems are running Gentoo Linux. Access to
these is currently restricted to Release Engineering members. For other
developer hardware, check out the dev machines page.

5. Release security & signing

All release media will have its DIGESTS file signed by one of the Gentoo Linux
Release Engineering (releng@gentoo.org) PGP keys listed on this page.
The keys are available through the subkeys.pgp.net keyserver. They can
be used to verify that the media is, in fact, the media shipped by Release
Engineering and not from a potential attacker. You will find more detailed
verification instructions in the handbooks for each release.

New keys and changes to existing keys will be announced to the following
Gentoo mailing lists: gentoo-dev-announce, gentoo-announce, gentoo-core.

Note: Releases up to and including 2007.0 had PGP signatures directly on top of the
files. This required large quantities of disk IO for generation on the servers,
and validation on the client side. As such, as of the 2008.0 release, the
DIGESTS file is now signed instead, making verification a two-step process, but
overall much quicker.

Note: During 2011, the DIGESTS files were also expanded to contain hashes other
than SHA1 and MD5, to provide more certain validation.

Code Listing 5.1: Obtaining the public key

$ gpg --keyserver subkeys.pgp.net --recv-keys <key id>

Code Listing 5.2: Verify the cryptographic signature

$ gpg --verify <foo.DIGESTS.asc>

Code Listing 5.3: Verify the checksum (at least one of these hashes will exist)
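
The following is an added example, not part of the original page or Gentoo's own tooling: a shell helper for the second step of the two-step check, run only after `gpg --verify` has succeeded on the signed DIGESTS file. It assumes a DIGESTS layout of a `# <ALGO> HASH` comment line followed by `<hex>  <filename>`; the function names and the choice to reject files that list only MD5 or SHA1 are this example's own.

```shell
#!/bin/sh
# Added example: hash the downloaded media against a DIGESTS file.
# Assumption: the DIGESTS signature was already checked with gpg --verify.
# Assumed layout: "# <ALGO> HASH" comment, then "<hex>  <filename>" lines.

# Print the recorded hash for ALGO and FILENAME, or nothing if absent.
digest_for() {  # usage: digest_for DIGESTS ALGO FILENAME
    awk -v algo="$2" -v name="$3" '
        /^# / { current = $2; next }        # "# SHA512 HASH" -> SHA512
        {
            f = $2; sub(/^\*/, "", f)       # tolerate binary-mode "*name"
            if (current == algo && f == name) { print tolower($1); exit }
        }
    ' "$1"
}

# Verify FILE against the strongest hash that DIGESTS lists for it.
# Returns 0 on match, 1 on mismatch, 2 if no SHA256/SHA512 entry exists.
verify_digest() {  # usage: verify_digest DIGESTS FILE
    digests=$1 file=$2 name=$(basename "$2")
    for algo in SHA512 SHA256; do
        want=$(digest_for "$digests" "$algo" "$name")
        [ -n "$want" ] || continue
        case $algo in
            SHA512) got=$(sha512sum "$file") || return 1 ;;
            SHA256) got=$(sha256sum "$file") || return 1 ;;
        esac
        got=${got%% *}                      # keep only the hex digest
        if [ "$got" = "$want" ]; then
            echo "$name: $algo OK"
            return 0
        fi
        echo "$name: $algo MISMATCH" >&2
        return 1
    done
    # Only MD5/SHA1 (or no entry at all): do not treat the file as verified.
    echo "$name: no SHA256/SHA512 entry in $digests" >&2
    return 2
}

# Stand-alone use: sh verify.sh <verified DIGESTS file> <downloaded file>
if [ $# -eq 2 ]; then
    verify_digest "$1" "$2"
fi
```

Because only the signed DIGESTS content is trustworthy, a matching hash means nothing unless the signature check in Code Listing 5.2 passed first against a Release Engineering key.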